Possible Network Config Issue - Two Subnets - One WAN - Proxy doesn't work on secondary LAN

I'll try to keep the details and summary short and sweet. Hopefully someone can point me in the right direction.

We just upgraded from an Astaro UTM to a Sophos SG330. We simply backed up the UTM config, uploaded it to the SG 330 and then applied the license file. Everything seems to have crossed over fine. I thought, for a while, that everything had gone smoothly. HOWEVER, we have no proxy on our secondary (remote) LAN. Any browser trying to pass through the proxy gets a browser "this page can't be displayed" message.

Network setup: 

INTERNET -> CISCOASA -> SG330 (eth1 and 0 bridged mode) -> Internal LAN1 -> Layer 3 Switch /Router -> LAN2

We have a direct fiber line to a building in another town that is on a different subnet. All routing between these two subnets is done behind the SG330 by a switch/router. 

Prior to the upgrade everything was great. An http request comes in from LAN2 hits the router and then passes through the SG330 (in bridge mode) on its way to the internet.

Now, the proxy doesn't work for LAN2. It works fine with LAN1 (the LAN it's "part of").

I hope that makes sense. Where do I start?

 

I can see this in the Network Log:

 

13:06:12 Default DROP TCP [PC on LAN2 IP] : 49596? [SG 330 IP Address] : 80 [SYN] len=48 ttl=127 tos=0x00 srcmac=[MAC] dstmac=[MAC]

 

Thanks



  • If apijnappels' idea wasn't your problem, please show us the corresponding line from the full Firewall log file, not the Live Log.  Also, leave enough of the IPs visible so that we know what's happening.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • So it appears to actually happen on both networks. 

    But only to computers who connect through our IP phones. the IP phones are on their own network. So the phone is connected to the LAN and gets a 192.168.20.X address, the computer connects to the phone and gets a 192.1.1.X address.

    *Please disregard the wacky IP scheme (public addressing... this was done before my time here.)*

    Computers connected through phones get dropped. Computers directly connected to the LAN work fine.

    Mostly... I'm connected through a phone right now and not being dropped. Is this a NAT issue?

    192.1.1.149 is the IP of the bridged interface on our SG 330. It's also dropping HUNDREDS of packets from our main domain controller to the sophos...

    Firewall example:

    2016:12:06-15:15:02 lakelandastaro ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcmac="78:e3:b5:XX:d1:78" dstmac="00:1a:XX:15:8c:a8" srcip="192.1.1.41" dstip="192.1.1.149" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="62936" dstport="80" tcpflags="SYN" 
    2016:12:06-15:15:05 lakelandastaro ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcmac="78:e3:b5:XX:d1:78" dstmac="00:1a:XX:15:8c:a8" srcip="192.1.1.41" dstip="192.1.1.149" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="62936" dstport="80" tcpflags="SYN" 
    2016:12:06-15:15:11 lakelandastaro ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcmac="78:e3:b5:XX:d1:78" dstmac="00:1a:XX:15:XX:a8" srcip="192.1.1.41" dstip="192.1.1.149" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="62936" dstport="80" tcpflags="SYN" 
    2016:12:06-15:15:52 lakelandastaro ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcmac="78:e3:b5:XX:d1:78" dstmac="00:1a:8c:15:8c:a8" srcip="192.1.1.41" dstip="192.1.1.149" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="62938" dstport="80" tcpflags="SYN" 
    2016:12:06-15:15:55 lakelandastaro ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcmac="78:e3:b5:XX:d1:78" dstmac="00:1a:8c:15:8c:a8" srcip="192.1.1.41" dstip="192.1.1.149" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="62938" dstport="80" tcpflags="SYN" 
    2016:12:06-15:16:01 lakelandastaro ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcmac="78:e3:b5:XX:d1:78" dstmac="00:1a:8c:15:8c:a8" srcip="192.1.1.41" dstip="192.1.1.149" 

    Domain Controller example: In the live log these say DNS.
    2016:12:06-00:05:56 lakelandastaro ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" mark="0x207c" app="124" srcmac="00:15:5d:01:eb:01" dstmac="00:1a:8c:15:8c:a8" srcip="192.1.1.241" dstip="192.1.1.149" proto="17" length="88" tos="0x00" prec="0x00" ttl="128" srcport="58748" dstport="53" 
  • Why would the device at 192.1.1.41 be trying to reach the UTM on port 80?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That... I don't understand. The proxy settings in IE are configured to use 8080. The SG is running in standard mode. 

     

    I'm going to do some more digging tonight, after business hours. It's just strange to me that this is happening with a direct backup and restore from the UTM -> SG. Nothing should have changed.

  • I bet you find the device at .41 has had its Proxy Settings changed to 80 from 8080.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Proxy is set to 8080. Our IE proxy settings are controlled by group policy, which didn't change with the upgrade.

    Backed up the UTM320, shut it down. Put the SG330 in the rack, connected with a laptop, uploaded the backup to the SG330 and applied the license file, connected eth0 and eth1 identically to the old setup. Powered up the SG330.

    Those are the steps we took. No GPO changes, no DNS changes, no network topology changes. Really strange...

    EDIT: nvm, I can repeatedly get the message. I've reset proxy settings, manually entering them in IE... this is very strange.

    The afflicted computers (basically any PC on the network who joins the proxy) can ping and resolve dns just fine...

     

    2016:12:07-11:05:44 lakelandastaro ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcmac="3c:4a:92:fb:24:00" dstmac="00:1a:8c:15:8c:a8" srcip="192.1.6.152" dstip="192.1.1.149" proto="6" length="48" tos="0x00" prec="0x20" ttl="127" srcport="53143" dstport="80" tcpflags="SYN" 
    2016:12:07-11:08:17 lakelandastaro ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcmac="3c:4a:92:fb:24:00" dstmac="00:1a:8c:15:8c:a8" srcip="192.1.6.152" dstip="192.1.1.149" proto="6" length="52" tos="0x00" prec="0x20" ttl="127" srcport="53185" dstport="80" tcpflags="SYN" 
    2016:12:07-11:08:20 lakelandastaro ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcmac="3c:4a:92:fb:24:00" dstmac="00:1a:8c:15:8c:a8" srcip="192.1.6.152" dstip="192.1.1.149" proto="6" length="52" tos="0x00" prec="0x20" ttl="127" srcport="53185" dstport="80" tcpflags="SYN" 
    2016:12:07-11:08:26 lakelandastaro ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcmac="3c:4a:92:fb:24:00" dstmac="00:1a:8c:15:8c:a8" srcip="192.1.6.152" dstip="192.1.1.149" proto="6" length="48" tos="0x00" prec="0x20" ttl="127" srcport="53185" dstport="80" tcpflags="SYN"
  • To add more, the requests are reaching the proxy in the webfilter logs:

     EDIT: Huh... why is there no user or domain?

    2016:12:07-11:03:40 lakelandastaro httpproxy[20400]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.1.6.152" dstip="" user="" ad_domain="" statuscode="407" cached="0" profile="REF_OCHkxcRmRb (AthensProfile)" filteraction=" ()" size="2540" request="0xdf940000" url="api.bing.com/qsml.aspx referer="" error="" authtime="8" dnstime="0" cattime="0" avscantime="0" fullreqtime="157" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions=""
    2016:12:07-11:03:40 lakelandastaro httpproxy[20400]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.1.6.152" dstip="" user="" ad_domain="" statuscode="407" cached="0" profile="REF_OCHkxcRmRb (AthensProfile)" filteraction=" ()" size="2540" request="0xacb9800" url="api.bing.com/qsml.aspx referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="127" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions=""
    2016:12:07-11:03:40 lakelandastaro httpproxy[20400]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.1.6.152" dstip="" user="" ad_domain="" statuscode="407" cached="0" profile="REF_OCHkxcRmRb (AthensProfile)" filteraction=" ()" size="2540" request="0xacb9800" url="api.bing.com/qsml.aspx referer="" error="" authtime="8" dnstime="0" cattime="0" avscantime="0" fullreqtime="155" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions=""
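The two log sources quoted in this thread (ulogd packetfilter drops and httpproxy access lines) both use the same space-separated key="value" layout, so one parser can answer the two questions raised above: which clients are hitting the UTM address on a port other than the configured proxy port, and which proxy hits stall at 407 with an empty user and ad_domain. This is an added example in Python, not code from the thread or from Sophos; the sample lines are constructed and shortened, with the UTM address 192.1.1.149 and proxy port 8080 taken from the posts.

```python
import re
from collections import Counter

# UTM ulogd and httpproxy lines are key="value" pairs; values such as profile
# and ua contain spaces, so match everything up to the next double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines modelled on the packetfilter and httpproxy entries
# quoted in this thread (hostnames, MACs and extra fields trimmed).
SAMPLE_LOG = """\
2016:12:07-11:05:44 utm ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcip="192.1.6.152" dstip="192.1.1.149" proto="6" srcport="53143" dstport="80" tcpflags="SYN"
2016:12:07-11:08:17 utm ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcip="192.1.6.152" dstip="192.1.1.149" proto="6" srcport="53185" dstport="80" tcpflags="SYN"
2016:12:07-11:08:20 utm ulogd[4862]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcip="192.1.1.41" dstip="192.1.1.149" proto="6" srcport="62936" dstport="80" tcpflags="SYN"
2016:12:07-11:03:40 utm httpproxy[20400]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.1.6.152" user="" ad_domain="" statuscode="407" profile="REF_X (AthensProfile)" url="api.bing.com/qsml.aspx" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2016:12:07-11:03:41 utm httpproxy[20400]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.1.1.50" user="jdoe" ad_domain="EXAMPLE" statuscode="200" profile="REF_X (AthensProfile)" url="example.com/"
"""


def parse_line(line):
    """Return the key/value fields of one UTM log line as a dict."""
    return dict(KV_RE.findall(line))


def triage(log_text, utm_ip, proxy_port="8080"):
    """Count default-rule drops aimed at the UTM on a non-proxy port, and
    proxy requests that ended in 407 without an authenticated user."""
    wrong_port = Counter()  # keyed by (srcip, dstport)
    unauth = Counter()      # keyed by srcip
    for line in log_text.splitlines():
        f = parse_line(line)
        if (f.get("sub") == "packetfilter" and f.get("action") == "drop"
                and f.get("dstip") == utm_ip and f.get("dstport") != proxy_port):
            wrong_port[(f["srcip"], f["dstport"])] += 1
        elif (f.get("sub") == "http" and f.get("statuscode") == "407"
                and not f.get("user")):
            unauth[f["srcip"]] += 1
    return wrong_port, unauth


if __name__ == "__main__":
    drops, stalled = triage(SAMPLE_LOG, "192.1.1.149")
    for (src, port), n in drops.most_common():
        print(f"{src} -> UTM:{port} dropped {n} time(s) (proxy expects 8080)")
    for src, n in stalled.most_common():
        print(f"{src}: {n} proxy request(s) stuck at 407 with no user")
```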
  • Sorry for the bombardment of replies and edits, more findings:

    I re-added the device to AD. And flushed the DNS on the device. I'm actually getting the proxy message now instead of "page can't be found".

    Getting closer... I'm going to laugh if it's a DNS issue.

     

    EDIT: Nope, requests are not reaching the proxy. I'm also getting certificate warnings on the computers trying to use the filter. The firewall blocks them with the default rule.

    Cert error as soon as I enable the proxy in IE:

    {link deleted}

    EDIT: There are a handful (3-4 out of 140) computers that can pass traffic through the proxy without issue. All others get blocked.

  • Now all the blocks on port 80 are from .152.  How does your configuration compare to Configuring HTTP/S proxy access with AD SSO?

    Cheers - Bob

    PS I'm sorry, but I deleted the external link in your post. Please Edit that post, and insert your image into the post. We can't know if that external site is properly protected. The only malware I've gotten in over 10 years was from an external link to a picture in this forum several years ago.  Thanks in advance!

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Not a problem, I understand removing the link. I hesitated to post it, didn't see the Insert menu.

    I think I figured it out and it's embarrassing... keep in mind I'm more of a systems guy, fairly green with networking.

    In my attempt to enable the reply portal to SPX I forwarded port 10444 on our outside interface (our Cisco ASA) to our UTM. 

    So the Cisco had a NAT rule of (outside IPs:10444) -> 192.1.1.149:10444 (our UTM) and an ACL to allow that. Somehow this was causing an issue. I thought I had removed these rules prior to posting this message, but apparently I never applied the changes. Anyway, they are gone and the proxy works...

    I guess I need to connect a different eth port to our LAN and bind an IP to it to be used for SPX portal? I'll do some more digging and probably start another thread. 

    For reference:

    Outside -> Cisco ASA -> UTM -> Company LAN